Integrated circuits are designed typically to operate in two distinct modes, but not at a same time, including a test mode, and a work mode for performing normal processing functions. Integrated circuits of this type are generally referred to as designed for test (DFT). When operating in the test mode, a designer has access to electronic information internal to the integrated circuit, including the contents of memory registers and the step-by-step microcode that is executed within the microprocessor. After a testing operation is completed, the designer switches the integrated circuit to the work mode, and normal processing operations of the integrated circuit are performed.
Entry into the test mode for integrated circuits is often accomplished through one of dynamic entry and static entry. Dynamic entry into the test mode is accomplished by clocking and latching the required test mode condition into the device being tested. The clocking and latching mechanism of dynamic entry offers the advantage of keeping all of the integrated circuit pins free for usage even after the test mode has been entered. However, a disadvantage of dynamic entry is that the test mode may be accidentally entered if the test mode condition is latched into the device when the test mode is not desired.
Static entry into a test mode is accomplished by supplying a static super voltage to one or more pins of the device being tested for the duration of the test mode. Static entry into a test mode is practical when it is other than a requirement that all integrated circuit pins remain available for use during a test mode. Static entry into a test mode offers the advantages of being simpler to implement and easier to escape unintentional entry into a test mode than dynamic entry. Escape from the test mode, after legitimate entry, occurs at any time that the voltage level of the super voltage other than exceeds a predetermined voltage level. Of course, a drawback of static test mode entry is that unintentional entry into a test mode can result from overshoots or undershoots on pins during normal operation in noisy systems.
The prior art methods for placing an integrated circuit into a test mode are suitable when the integrated circuit is used in a system in which privacy and secrecy of the data is other than of critical importance. For instance, in such systems it is other than necessary to ensure that data within the integrated circuit remains inaccessible during operation of the device. In the case of a cryptographic processor system, however, it is a primary concern that external access to the secure electronic keys and/or other cipher data that are stored within the integrated circuit is at all times denied from outside the device. Further, in addition to denying unauthorized access to secure data by an unintended third party, the authorized and intended user of the integrated circuit must also be other than able to probe the contents of the integrated circuit when the integrated circuit is operating in test mode. In fact, a known method to secure data occurs upon detecting an attempt to probe the contents of the integrated circuit, using either electronic or mechanical means, results in clearing, deactivation and/or self-destruction of the encryption unit. Such extreme security precautions are required in order for a cryptographic system to be compliant with existing security protocols, for instance the FIPS-140 requirements.
It will be obvious to one of skill in the art that such extreme security precautions are necessary in order to prevent key compromise, and thus to ensure the integrity and secrecy of the private keys that are stored within the memory circuit of the encryption unit. The compromise of a private key by an unauthorized third party allows immediately any data that is passed through the encryption unit to be converted back into a plain text form and to be read by the third party. When such data includes financial information or information of a personal and confidential nature, then the potential also exists for the unauthorized third party to cause serious inconvenience and/or financial loss to a legitimate user of the encryption unit. Even the compromise of a single bit of a secure key, for instance a 128-bit secure encryption key, reduces the effectiveness of the secure key by a significant factor. Further, it will be obvious to one of skill in the art that since computer processing power continues to double approximately every two years, the secure keys that are in use today are susceptible to key compromise in the future. It is, therefore, of critical importance that encryption systems being implemented in the present are designed such as to prevent the compromise of even a single bit of a secure key stored therein.
Of course, the inability to probe the electronic data contents of a prior art encryption unit precludes the possibility of performing legitimate and often necessary trouble-shooting procedures. In the case of an integrated circuit that is used in an encryption unit, such trouble-shooting is of particular importance since any data that is provided to the unit for encryption is permanently unrecoverable if the encryption unit performs within other than as expected. It is therefore critically important to ensure that the encryption unit is performing as expected prior to providing secure data thereto for encryption. In particular, trouble-shooting functions are often necessary when data that was previously provided to an encryption unit for encryption is other than recoverable by an intended recipient, and when a new encryption unit is added to a computer system.
It would be advantageous to provide a system and a method for placing an integrated circuit of a cryptographic unit into a test mode of operation in a manner that at all times prevents external access to secure data stored therein. It would be further advantageous to provide a system and a method for locking out re-entry into the test mode once the encryption system begins performing secure operations. Further, it would be advantageous to provide a system and a method for placing an integrated circuit of a cryptographic unit into a test mode of operation that is compliant with existing security protocols, for instance the FIPS-140 protocols.